Summary
CVE-2026-24858 is a critical Fortinet authentication bypass. Attackers with a FortiCloud account and a registered device can access other customers’ devices when SSO is enabled. The flaw stems from improper SSO isolation and has been exploited to create admin accounts and access configurations. Patches are available, and SSO is now restricted to fixed versions—immediate upgrades and log checks are needed.
Urgent Actions Required
- Update all affected Fortinet devices to patched firmware; FortiCloud SSO works only on fixed versions.
- If an immediate upgrade isn’t possible, disable FortiCloud SSO on affected devices.
- Review administrative logs for FortiCloud SSO login activity, especially entries followed by configuration downloads or privilege changes.
- Check and remove unauthorized admin accounts.
- Respond to any signs of unauthorized SSO access with incident procedures.
Which Systems Are Vulnerable to CVE-2026-24858?
Technical Overview
- Vulnerability Type: Authentication Bypass Using an Alternate Path or Channel (CWE-288)
- Affected Software/Versions:
- FortiAnalyzer: 7.6.0–7.6.5, 7.4.0–7.4.9, 7.2.0–7.2.11, 7.0.0–7.0.15
- FortiManager: 7.6.0–7.6.5, 7.4.0–7.4.9, 7.2.0–7.2.11, 7.0.0–7.0.15
- FortiOS: 7.6.0–7.6.5, 7.4.0–7.4.10, 7.2.0–7.2.12, 7.0.0–7.0.18
- FortiProxy: 7.6.0–7.6.4, 7.4.0–7.4.12, 7.2.0–7.2.15, 7.0.0–7.0.22
- FortiWeb: 8.0.0–8.0.3, 7.6.0–7.6.6, 7.4.0–7.4.11
- Under Investigation: FortiSwitch Manager
- Attack Vector: Network (FortiCloud SSO authentication path)
- CVSS Vector: v3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
- Patch Availability: Yes, available
PSIRT | FortiGuard Labs
How Does the CVE-2026-24858 Exploit Work?
The attack typically follows these steps:
What Causes CVE-2026-24858?
Vulnerability Root Cause:
This vulnerability stems from weak isolation in FortiCloud SSO. When enabled, certain Fortinet products may accept SSO authentication from one account on devices belonging to other accounts, allowing attackers to bypass authorization and access devices without proper credentials.
How Can You Mitigate CVE-2026-24858?
If immediate patching is delayed or not possible:
- Disable FortiCloud Single Sign-On (SSO) on affected devices by turning off the “Allow administrative login using FortiCloud SSO” option in system settings or via CLI.
- Restrict administrative access to trusted management networks and limit exposure of management interfaces.
- Review administrator accounts and remove any unauthorized or suspicious local admin users created after SSO login events.
- Examine device logs for unexpected FortiCloud SSO authentication activity, especially followed by configuration downloads or account creation.
- Treat any confirmed indicators of unauthorized SSO access as a potential compromise and follow incident response procedures.
Which Assets and Systems Are at Risk?
- Asset Types Affected:
- Network Security Appliances – Fortinet devices running FortiOS with FortiCloud SSO enabled
- Management Platforms – FortiManager and FortiAnalyzer instances using FortiCloud SSO for administrative access
- Proxy and Gateway Systems – FortiProxy devices configured with FortiCloud SSO authentication
- Business-Critical Systems at Risk:
- Administrative Management Interfaces – Devices where FortiCloud SSO allows administrative login
- Network devices – Firewalls and gateways controlling traffic and VPNs
- Centralized management – Systems managing multiple Fortinet devices across accounts
- Exposure Level:
- Devices with FortiCloud SSO Enabled – Especially where the SSO option was left enabled during FortiCare registration
- Internet-Accessible Management Interfaces – Systems reachable over the network for administrative access
- Multi-Account or Multi-Tenant Environments – Scenarios where devices are registered under different FortiCloud accounts
Will Patching CVE-2026-24858 Cause Downtime?
Patch application impact: Low. Applying Fortinet’s patch may cause brief management downtime.
How Can You Detect CVE-2026-24858 Exploitation?
- Indicators of Compromise (IOCs/IOAs):
- FortiCloud SSO authentication attempts originating from devices running unpatched or affected FortiOS versions.
- Management-plane access requests are denied due to FortiCloud SSO being restricted to patched devices only.
Remediation & Response
- Remediation Timeline:
- Immediate: Upgrade affected FortiOS devices to Fortinet’s fixed firmware and ensure FortiCloud SSO is allowed only from patched systems.
- Short term: Confirm all managed devices are running supported, remediated versions and remove or isolate any unpatched instances.
- Rollback Plan:
- If issues arise after upgrading, revert to the last stable FortiOS version approved by Fortinet and temporarily disable FortiCloud SSO access until remediation is revalidated.
- Record version changes, timing, and actions taken in internal change-management records.
- Incident Response Considerations:
- Identify devices that are authenticated via FortiCloud SSO before patching and review their management activity.
- Check for signs of cross-account device access or configuration changes.
- After remediation, restrict FortiCloud SSO usage to patched devices only and continue monitoring for unauthorized management access.
Compliance & Governance Notes
- Audit Trail Requirement:
- Log all FortiCloud SSO authentication events, including timestamps, source accounts, and devices.
- Review logs for newly created local administrator accounts and suspicious cross-account access.
- Monitor for unauthorized configuration changes, including SSO enablement or administrative activity on patched devices.
- Policy Alignment:
- Use FortiCloud SSO only on patched devices.
- Keep monitoring for unauthorized admin access.
CVSS Breakdown Table
| Metric | Value | Description |
|---|---|---|
| Base Score | 9.8 | Critical severity, reflecting high impact and active exploitation in the wild |
| Attack Vector | Network | Can be exploited remotely via FortiCloud SSO without local access |
| Attack Complexity | Low | No special conditions required beyond having a FortiCloud account and a registered device |
| Privileges Required | None | Exploitation does not require any credentials from the target device |
| User Interaction | None | Exploitation does not require any action by the target user |
| Scope | UnChanged | Impact is limited to the vulnerable Fortinet devices where SSO is enabled |
| Confidentiality Impact | High | Attackers can access other users’ devices and download configurations, exposing sensitive data |
| Integrity Impact | High | Attackers can create local admin accounts, modify configurations, and maintain persistence |
| Availability Impact | High | Exploitation can compromise device operations, potentially affecting service availability |
